15 January 2018

Creating your virtual Data Center

One of my first projects as a system administrator at Ariadnex was for the Government of Extremadura, where I managed virtual machines, datastores and virtual networks in virtual data centers. Therefore, I learnt a lot about virtual infrastructures under XenServer and VMware. However, today virtual data centers are moving from on-premise to the cloud, either Public Cloud, Private Cloud or Hybrid Cloud, where you can even pay-as-you-go (PAYG). For instance, we can deploy our data center in the major cloud providers such as Microsoft Azure, Google Cloud Platform or Amazon Cloud “easily” and pay as we use.

Lately, I’m reading, learning and working with AWS Cloud, where I’ve created a virtual data center with firewalls, Elastic Load Balancer, WAF, EC2 instances, etc., and there are a lot of things to take into account when deploying a virtual data center in Amazon Cloud. For instance, the VLAN and ARP protocols don’t exist in AWS Cloud. Instead, a VPC (Virtual Private Cloud) is used to isolate traffic, where we can create subnets in Availability Zones. What’s more, /24 subnets have 251 addresses available, instead of 254 addresses, because AWS needs three IP addresses for internal routing.

Choosing IP address ranges for your subnets

Routing is another mess in AWS, if we are used to traditional routing. A VPC comes with a default route table, but we can assign different route tables to different subnets, which contain rules for which packets go where. In addition, there are Internet Gateways where packets are sent if we want them to reach the Internet. On the other hand, we can deploy NAT instances in a public VPC subnet to enable outbound Internet traffic from instances in a private subnet. By default, private VPC subnets are routable internally, while public subnets reach the Internet through an Internet Gateway.

NAT access to Internet

Security is important too when we are creating a virtual data center. There are two kinds of firewalls in AWS. The deprecated one is a stateless firewall, where we create Network ACLs to allow or deny ports and IP addresses. On the other hand, the traditional one is a stateful firewall, where we create Security Groups to allow or deny traffic to instances. For example, the Security Group “MyWebServers” to allow all traffic from the Internet, and the Security Group “MyBackends” to allow only traffic from “MyWebServers”. Moreover, dedicated cloud firewall AMIs can be deployed from the AWS Marketplace, like FortiGate, Palo Alto and Check Point, which offer many additional and important security functions, like IDS/IPS.

Security Groups = Stateful Firewall
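
The two Security Groups described above, written as Terraform for the AWS provider. This is an added example, not code from the original post; it assumes a VPC whose id is passed in as var.vpc_id and a backend application listening on port 8080, and it opens only HTTP/HTTPS on the web tier instead of all traffic.

```hcl
variable "vpc_id" {
  type = string
}

# "MyWebServers": the public tier. The post says "all traffic from the
# Internet"; opening only HTTP/HTTPS is the usual tighter choice.
resource "aws_security_group" "web" {
  name   = "MyWebServers"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Stateful: replies to the connections above are allowed automatically,
  # so no ephemeral-port rule is needed (a Network ACL would need one).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# "MyBackends": reachable only from instances that carry MyWebServers.
# Referencing the group id instead of a CIDR keeps the rule correct when
# web instances are replaced and get new private addresses.
resource "aws_security_group" "backend" {
  name   = "MyBackends"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 8080 # assumed application port
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Terraform removes the default allow-all egress rule when it creates a group in a VPC, so the explicit egress blocks are needed for the instances to reach the NAT or Internet Gateway at all.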

Each organization will have its own requirements, thus we’ll have to design the virtual data center accordingly. For instance, if we have several VPCs and we want to exchange information between them, we should configure VPC peering, or if we have to connect our on-premise data center to AWS, we can use Virtual Private Networks (VPN), AWS Direct Connect or both. Route 53 is another interesting AWS service for DNS resolution, and VPC Flow Logs are useful for visibility and troubleshooting. As you can see, there are many infrastructure services in AWS and we’ll have to choose the right services to deploy a reliable and cost-effective virtual data center.

AWS Direct Connect

I think this is just the beginning of real cloud computing, where you deploy services around the world and pay-as-you-go. They, I mean Amazon, Google and Microsoft, are changing the paradigm of systems, networks and storage, and we should pay attention to this amazing world.